Combination-based broadcast encryption method

ABSTRACT

A combination-based broadcast encryption method includes: assigning by a server a base group of different combinations to each user; producing and sending secret information for each user by using as a base the base group allocated to each user; producing and sending an inverse-base parameter value through calculations with integers used to produce the base group and key value information of one or more privileged users; and deriving a group key by using the key value information of the privileged users, encrypting a session key by using the derived group key, and sending the encrypted session key to each user. Accordingly, each user is assigned a different base through a combination, thereby having security against collusion attacks.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims priority from Korean Patent Application No. 2004-117701, filed on Dec. 31, 2004, the entire contents of which are incorporated herein by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a broadcast encryption method, and more particularly, to a broadcast encryption method that is secure against collusion attacks.

2. Description of the Related Art

In general, encryption systems are classified into a symmetric key (also referred to as a secret key) encryption system and an asymmetric key (also referred to as a public key) encryption system.

The symmetric key encryption system uses the same key for encryption and decryption. For example, if a sender converts an original message into an encrypted message through an encryption key and an encryption algorithm and sends the encrypted message to a receiver, the receiver converts the encrypted message into the original message by applying the same key to a decryption algorithm.

The receiver has to exchange keys safely prior to the encrypted communications, and a third party who attempts to view the encrypted communications cannot view the original message without the keys that the sender and receiver have used. However, problems with key management and exchange can occur, since the number of keys to be managed increases accordingly if encrypted messages are to be sent to more parties.

Compared to the symmetric key encryption system, the asymmetric key encryption system is based on mathematical functions, in which there exists a pair of keys, wherein one of the keys is open for anyone to use, and the other key is kept secret. Here, the open key is referred to as a public key, and the secretly kept key is referred to as a private key.

In order for a sender and a receiver to perform encrypted communications by using the public key, the sender first encrypts an original message by using the public key of the receiver and sends the encrypted message to the receiver, and the receiver decrypts the encrypted message by using his own private key to obtain the original message. Even if someone obtains an encrypted message on a network, data can be sent safely, since the encrypted message cannot be decrypted without the private key, which is kept by its owner at all times and has no need to be disclosed or sent to others.

On the other hand, the symmetric key (or cipher) is mainly used to encrypt or decrypt broadcast streams, because encryption and decryption can be carried out very rapidly when the symmetric key is used, and the symmetric key can be safely sent through a limited access system to which only authenticated users have access.

Contents creators create various useful data such as audio and video data in a data transmission system based on general broadcast encryption, and provide the created data to service providers. The service providers broadcast the data of the contents creators through various wired and wireless communication networks to authorized users such as smart home Digital Rights Management (DRM) networks and mobile DRM networks.

FIG. 1 is a view showing a general broadcast transmission system. In FIG. 1, a service provider 100 produces a broadcast message 110 and sends the broadcast message 110 to users through various transmission channels 120. Here, the broadcast message 110 is sent to privileged users 130 as well as to revoked users. Thus, the service provider 100 allocates a separate key to encrypt the broadcast message 110 in order for the privileged users 130 to read the sent broadcast message 110. Therefore, an important issue in the broadcast system is the method of producing a certain group key in order for only the privileged users 130 to decrypt the encrypted broadcast message.

For example, the service provider 100 can send data through satellites to user devices such as set-top boxes equipped with various satellite receivers, as well as send the data to mobile communication terminals through mobile communication networks. Further, the service provider 100 can send the data to various terminals on a smart home network through the Internet.

On the other hand, the service provider 100 encrypts the data by using broadcast encryption (BE) to prevent unauthorized users from using the data.

The security of such an encryption/decryption system mainly depends on the system for managing encryption keys. Further, the method for deriving keys is most important in such an encryption key management system. In addition, it is important to manage and update the derived encryption keys.

On the other hand, the data transmission method using the public key is a method for sending data including key values of authorized users when data is sent. That is, data sent by the service provider 100 through broadcast/home networks contains a header portion having authentication information and an encrypted data portion having substantial data information.

Thus, the header portion contains a group identifier (ID) and key value information of authenticated users included in each authorized group so that, of plural users, data can be sent to only the users of the authorized groups.

Therefore, if data is encrypted and sent through a certificate revocation list/online certificate status protocol (CRL/OCSP) including a CRL and OCSP information, users receiving the data check their own key value information included in the header portion of the data, get authenticated in due course, and use their desired data.

On the other hand, the header portion in the broadcast encryption (BE) scheme contains only information of a group ID and a key value for a certain group. Thus, the privileged users of authenticated groups can use their own group key values in order to decrypt the received data into original data.

There exist methods disclosed in “Broadcast Encryption” (Fiat et al., Crypto '93, LNCS vol. 839, pp. 480-491, hereinafter referred to as the “Fiat algorithm”) as other methods for broadcasting encryption keys. The ‘Fiat algorithm’ proposes two basic broadcast encryption algorithms and an algorithm having higher security against collusion attacks.

Hereinafter, a brief description will be provided of the Fiat algorithm. Coefficients are first defined as below for the description of the Fiat algorithm.

- U: Set of users with |U|=n
- P: Set of privileged users with |U−P|=r
- N: RSA composite
- y₁, . . . , y_(n): Distinct primes
- usr_(i): A user in U where 1≦i≦n
- O: A positive integer satisfying 1<O<N

The Fiat algorithm enables a server to produce system coefficients N, y₁, . . . , y_(n), and O, of the defined coefficients, in the system initialization step, and discloses the coefficients N, y₁, . . . , y_(n), of the system coefficients, in order for anyone to look them up. Further, if a user usr_(i) subscribes to services, the server carries out tasks as below:

1. assign a value y_(i) to a user usr_(i)

2. calculate secret information, u_(i) = O^(y_(i)) (mod N), of the user usr_(i)

3. send the calculated secret information safely to the user usr_(i)

The initialization and user subscription steps are completed through the above tasks. Now, if given a group of privileged users, P⊂U, a group key K_(p) for each user is expressed in Equation 1 as follows:

$$K_{p} = O^{\prod_{usr_{s} \in P} y_{s}} \pmod{N} \qquad \text{[Equation 1]}$$

Users included in P can use the value u_(i) assigned from the server to calculate the group key K_(p) of Equation 1 by using Equation 2 as follows:

$$K_{p} = u_{i}^{\prod_{usr_{s} \in P - \{usr_{i}\}} y_{s}} \pmod{N} \qquad \text{[Equation 2]}$$

Unauthorized subscribers or revocators who are not normal subscribers have, in the exponent part of u_(i), the distinct prime y_(i) not included in the exponent part of K_(p), so the group key K_(p) can be calculated when the distinct prime y_(i) is eliminated from the exponent part.

However, the calculation is practically impossible due to the problem of ‘difficult prime factorization of N’. Thus, broadcast encryption becomes possible for privileged users through the above method.

However, the above Fiat algorithm causes a serious security problem when two users, for example, usr₁ and usr₂, share their secret information with each other. That is, since y_(i) and y_(j) are relatively prime, integers a and b satisfying ay_(i)+by_(j)=1 can be easily obtained. Therefore, the two users can obtain the value of O, which is the secret system information, by using Equation 3 as below:

$$u_{i}^{a} u_{j}^{b} \equiv O^{a y_{i} + b y_{j}} = O \pmod{N} \qquad \text{[Equation 3]}$$

Thus, the unauthorized users can obtain the group key K_(p) in all circumstances by using the value of O. That is, if two malicious users collude with each other, the two basic algorithms leave the system no longer secure, since the secret information of the server broadcasting the contents is leaked.
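The weakness of a shared base can be checked with toy numbers. The following Python sketch is an added example, not part of the original document: it implements Equations 1 to 3 with a constructed modulus, base and primes (all far too small for real use) so that a reviewer can see why every user holding a power of the same O makes the scheme only 1-resilient.

```python
"""Toy model of the Fiat basic scheme, Equations 1-3 (constructed values)."""
from math import gcd, prod

# Constructed toy parameters; a real N would be 2048 bits or more.
P_PRIME, Q_PRIME = 1009, 1013
N = P_PRIME * Q_PRIME
O = 424242                      # server secret base, 1 < O < N
Y = {1: 3, 2: 5, 3: 7, 4: 11}   # public distinct primes y_i, one per user

assert gcd(O, N) == 1


def user_secret(i):
    """u_i = O^(y_i) mod N, given to usr_i at subscription."""
    return pow(O, Y[i], N)


def server_group_key(privileged):
    """Equation 1: K_p = O^(product of y_s over P) mod N."""
    return pow(O, prod(Y[s] for s in privileged), N)


def user_group_key(i, u_i, privileged):
    """Equation 2: a member of P raises u_i to the other members' primes."""
    return pow(u_i, prod(Y[s] for s in privileged if s != i), N)


def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def base_from_two_secrets(i, u_i, j, u_j):
    """Equation 3: with a*y_i + b*y_j = 1, u_i^a * u_j^b = O (mod N).

    One of a, b is negative; pow() with a negative exponent (Python 3.8+)
    takes the modular inverse, which exists because gcd(O, N) = 1.
    """
    g, a, b = egcd(Y[i], Y[j])
    assert g == 1
    return pow(u_i, a, N) * pow(u_j, b, N) % N


def key_from_base(base, privileged):
    """Anyone who knows the base can evaluate Equation 1 for any set P."""
    return pow(base, prod(Y[s] for s in privileged), N)


if __name__ == "__main__":
    privileged = [3, 4]                       # users 1 and 2 are revoked
    k_p = server_group_key(privileged)
    print("member 3 derives K_p:",
          user_group_key(3, user_secret(3), privileged) == k_p)
    leaked = base_from_two_secrets(1, user_secret(1), 2, user_secret(2))
    print("two pooled secrets reveal O:", leaked == O)
    print("revoked pair obtains K_p:", key_from_base(leaked, privileged) == k_p)
```

The three printed checks correspond to Equation 2, Equation 3 and the consequence stated in the paragraph above.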

As above, systems referred to as “1-resilient systems” are ones secure against one aggressive operator but not secure against two aggressive operators. On the other hand, the Fiat algorithm proposes a k-resilient system based on the 1-resilient system, but has a problem of high inefficiency.

The k-resilient system is that receivers (t receivers at maximum) eliminate an arbitrary number of receivers colluding with one another. However, the method needs a relatively long message, a relatively large number of keys stored in a receiver, and more than one decryption operation by each receiver.

Further, the method does not take a stateless receiver scenario into consideration. An assumption on how many receivers collude with one another needs to be avoided. Further, the message size and the number of stored keys need to be minimized, and the decryption operations to be carried out by a receiver have to be minimized for optimal performance.

On the other hand, the other systems like the Fiat system do not provide the stateless receiver scenario, so that the other systems cannot be effectively applied to the protection of contents on recording media.

SUMMARY OF THE INVENTION

According to an aspect of the present invention, there is provided a combination-based broadcast encryption method, comprising steps of producing a base group through combinations of more-than-one integers out of plural different integers, and assigning the base group of different combinations to each user; producing secret information for each user through calculations with key value information allocated to a corresponding user by using as a base the base group allocated to each user, and sending the produced secret information to each user; producing an inverse-base parameter value through calculations with an integer used to produce the base group and key value information of one or more privileged users, and sending the produced inverse-base parameter value to each user, in order for only the privileged users of plural users to eliminate the base group from the secret information; and deriving a group key by using the key value information of the privileged users, and encrypting a session key with the derived group key and sending the encrypted session key to each user.

The integers for producing the base group are coprimes.

The inverse-base parameter value is calculated with one or more random numbers further included for security reasons.

Further, the one or more random numbers calculated in the inverse-base parameter value are used for calculation for deriving the group key.

The server produces a server's own random value, and the secret information for each user is calculated with the produced server's own random value included.

The one or more random numbers calculated in the inverse-base parameter value are calculated with the server's own random value, and then sent to each user.

The produced base of the secret information for each user contains a base group allocated to each user and a common integer commonly used for all users, and the group key is derived to have the base of the common integer.

The server sends, to each user, information of combinations for producing a corresponding base group.

The server sends information of a key value allocated to the user every time a broadcast message is sent.

According to an aspect of the present invention, there is provided a combination-based broadcast encryption method, comprising steps of grouping by a server into plural groups one upper group of plural users receiving a broadcast message, and assigning a key value to corresponding users of each group; producing a base group for each group through combinations of more-than-one integers of plural different integers, and assigning users of each group the base group produced through a different combination; producing an inverse-base parameter value through calculations with integers used to produce the base group and key value information of one or more privileged users, and sending the produced inverse-base parameter value to users of a corresponding group, in order for only the privileged users of the plural users to eliminate the base group from the secret information; and deriving a group key for each group with the key value information of the privileged users, encrypting a session key with the derived group key, and sending the encrypted session key to each user.

A random number is assigned to each group, and the random number is further included in calculating the secret information of each user to be sent to the users of each group.

A random number assigned to a corresponding group is further included in calculating the inverse-base parameter value.

The group key for each group is calculated with a random number assigned to a corresponding group further included.

Integers for productions of the base group are coprimes.

The inverse-base parameter value is calculated with one or more random numbers further included for security reasons.

One or more random numbers calculated in the inverse-base parameter value are used to calculate for derivation of the group key.

The server produces a server's own random number, and the produced server's own random number is further included in calculating the secret information for each user.

One or more random numbers calculated in the inverse-base parameter value are calculated with the server's own random number, and sent to each user.

The produced base of the secret information for each user contains a base group assigned to each user and a common integer commonly used for all users, and the group key is derived to have the base of the common integer.

The server sends, to each user, the information of combinations for producing a corresponding base group.

The server separately calculates an exponent part and a base part in calculating the inverse-base parameter value, and separately sends the exponent part and base part of the calculated inverse-base parameter value.

Each group is grouped to plural sub-groups, a key value is assigned to users of each sub-group, and secret information for each user is produced through calculations with key value information assigned to users of each sub-group.

If there are no unauthorized users in a specific group of the groups, a separate key value assigned to each group is established as a group key to the corresponding group.

The server sends the key value information assigned to the users every time the server sends the broadcast message.

According to an aspect of the present invention, there is provided a combination-based broadcast encryption method, comprising steps of producing a base group through combinations of more-than-one integers of plural different integers, and allocating the base group produced through a different combination for each user; producing secret information for each user through calculations with key value information allocated to a corresponding user by using as a base the base group allocated to each user, and receiving by each user the produced secret information for each user from a server; producing an inverse-base parameter value through calculations with integers used to produce the base group and the key value information of one or more privileged users, and receiving by each of the users the produced inverse-base parameter value from the server, in order for only the privileged users of plural users to eliminate the base group from the secret information; calculating a group key by using the secret information for each user received from the server and the inverse-base parameter value; and decrypting a session key received from the server by using the calculated group key.

The integers for producing the base group are coprimes.

Further, the inverse-base parameter value is calculated with one or more random numbers further included for security reasons.

Here, one or more random numbers calculated in the inverse-base parameter value are used for calculations to derive the group key.

The server produces a server's own random number, and the secret information for each user is calculated with the produced server's own random number included.

One or more random numbers calculated in the inverse-base parameter value are calculated with the server's own random number, and then received.

A base of the produced secret information for each user contains the base group assigned to each user and a common integer commonly used for all users, and the group key is derived by using the common integer as a base.

Here, each user receives, from the server, information of a combination for producing the corresponding base group.

The information of the key value assigned to each user is received from the server every time the broadcast message is sent.

According to an aspect of the present invention, there is provided a combination-based broadcast encryption method, comprising steps of grouping into plural groups one upper group having plural users receiving a broadcast message, and assigning a key value to users of each group; producing a base group for each group through combinations of more-than-one integers of plural different integers, and assigning each user of each group the base group produced through a different combination; producing secret information for each user through calculations with key value information assigned to users of each group by using as a base the base group assigned to each user, and receiving by each user from a server the produced secret information for each user; producing an inverse-base parameter value through calculations with the integers used to produce the base group and the key value information of one or more privileged users of the plural users, and receiving the produced inverse-base parameter value by users of each corresponding group from the server, in order for only the privileged users of the plural users to eliminate the base group from the secret information; calculating a group key for each group by using the secret information for each user received from the server and the inverse-base parameter value; and decrypting a session key received from the server by using the calculated group key for each group.

A random number is assigned to each group, and the random number is further included in calculating the secret information of each user to be sent to the users of each group.

A random number assigned to the corresponding group is further included in calculating the inverse-base parameter value.

The group key for each group is calculated with a random number assigned to the corresponding group further included.

Integers for productions of the base group are coprimes.

The inverse-base parameter value is calculated with one or more random numbers further included for security reasons.

One or more random numbers calculated in the inverse-base parameter value are used to calculate for derivation of the group key.

The server produces a server's own random number, and the produced server's own random number is further included in calculating the secret information for each user.

One or more random numbers calculated in the inverse-base parameter value are calculated with the server's own random number, and received by each user.

A base of the produced secret information of each user contains a base group assigned to each user and a common integer commonly used for all users, and the group key is derived to have the base of the common integer.

Users of each group receive from the server the information of combinations for producing the corresponding base group.

An exponent part and a base part are separately calculated in calculating the inverse-base parameter value, and the exponent part and base part of the calculated inverse-base parameter value are each received from the server.

Each group is grouped to plural sub-groups, a key value is assigned to corresponding users of each sub-group, and secret information for each user is produced through calculations with key value information assigned to the corresponding users of each sub-group.

If there are no unauthorized users in a specific group of the groups, a separate key value assigned to each group is established as a group key to the corresponding group.

48. The method as claimed in claim 35, wherein the key value information assigned to the users is received from the server every time the server sends the broadcast message.

In the conventional Fiat algorithm as above, the secret information u_(i)=O^(y_(i)) (mod N) that the Fiat algorithm provides to individual users contains one variable O and one equation. This enables the variable O to be calculated according to the theory, that is, information theory. However, if N is a composite number of two large primes, it is impossible to obtain the variable O according to computation theory due to the difficulty of prime factorization. Considering the above, the Fiat algorithm can be referred to as a 1-resilient system. On the contrary, if given the secret information u_(i) and u_(j) of two users as above, one variable and two equations are obtained, so it cannot be said that the difficulty of prime factorization applies here as well. Therefore, two substantially colluding users can easily calculate the variable O.

Since the Fiat algorithm has every user use the same base, that is, the variable O, the present invention assigns a different base to each user in order to overcome the exposure to collusion attacks. To do so, the present invention uses ‘combinations’. Further, an additional mechanism is proposed to deal with revocators according to a modified exemplary embodiment of the present invention.

BRIEF DESCRIPTION OF THE DRAWINGS

The above and/or other aspects of the present invention will be more apparent by describing certain exemplary embodiments of the present invention with reference to the accompanying drawings, in which:

FIG. 1 is a view for showing a general broadcast transmission system;

FIG. 2 is a view for conceptually showing grouping a user set into groups according to first and second exemplary embodiments of the present invention;

FIG. 3 is a view for conceptually showing re-grouping a user group into sub-groups according to third, fourth, and fifth exemplary embodiments of the present invention;

FIG. 4 is a view for showing a method of re-grouping a user group into sub-groups according to third, fourth, and fifth exemplary embodiments of the present invention;

FIG. 5 is a view for showing a message format sent to each group according to the fourth exemplary embodiment of the present invention;

FIG. 6 is a view for showing assignment of users to groups according to the fifth exemplary embodiment of the present invention;

FIG. 7 is a flow chart for showing a process for assigning each user a key according to an exemplary embodiment of the present invention;

FIG. 8 is a flow chart for showing a process for assigning each user a key according to the first and second exemplary embodiments of the present invention;

FIG. 9 is a flow chart for showing a process for assigning each user a key according to the third, fourth, and fifth exemplary embodiments of the present invention;

FIG. 10 is a graph for comparing the transmission overheads of the exemplary embodiments of the present invention to those of prior art; and

FIG. 11 is a graph for comparing the index overheads of the exemplary embodiments of the present invention to those of prior art.

DETAILED DESCRIPTION OF THE EXEMPLARY EMBODIMENTS

Hereinafter, description will be made on a method of assigning a base to individual users according to the present invention.

First, C integers, O₁, . . . , O_(C), have values larger than 1 but smaller than N (1<O_(s)<N), and satisfy gcd(O_(s),N)=1. The number of different combinations is _(C)C_(d) when d numbers are chosen from these C integers. Instead of a variable O as a base of the secret information of each user, d integers are multiplied to produce a base group, and the use of the produced base group, that is, O_(σi(1)), . . . , O_(σi(d)), enables a system to be secure against methods attacking the Fiat algorithm. However, the many multiplications of integers fail to guarantee security against a few users' collusions since more equations than the number of variables can be provided. Thus, enough equations should not be provided in order for security to be guaranteed. That is, preparations can be made against all possible attacks by avoiding the use of all _(C)C_(d) combinations.

Hereinafter, description will be made on a combination-based broadcast encryption method according to the basic exemplary embodiment of the present invention.

Prior to description on a basic exemplary embodiment of the present invention, coefficients necessary for the description on the basic exemplary embodiment are defined as below.

- U: set of users with |U|=n
- P: set of privileged users with |U−P|=r
- N: RSA composite
- ω, ν: random numbers
- z: a large integer
- κ: a session key
- O: a positive integer satisfying 1<O<N
- O₁, . . . , O_(C): positive integers satisfying 1<O_(s)<N and gcd(O_(s), N)=1
- C, d: positive integers satisfying $n < \binom{C}{d}$
- O₁, . . . , O _(C) : positive integers satisfying 1<O_(s)<N and gcd(O_(s), N)=1
- C, d: positive integers satisfying $2^{m-1} n < \binom{\bar{C}}{d}$
- usr_(i): a user in U where 1≦i≦n.
- {σ_(i)(1), . . . , σ_(i)(d)}: a set of integers for usr_(i) where σ_(i) is a 1-1 map from {1, . . . , d} to {1, . . . , C}, σ_(i)(s)<σ_(i)(s+1) and σ_(i)'s are distinct.
- usr_(ij): a user in U where 1≦i≦L, 1≦j≦l and Ll=n.
- {σ_(ij)(1), . . . , σ_(ij)(d)}: a set of integers for usr_(ij) where σ_(ij) is a 1-1 map from {1, . . . , d} to {1, . . . , C}, σ_(ij)(s)<σ_(ij)(s+1) and σ_(ij)'s are distinct.
- usr_(ijk): a user in U where 1≦i≦L, 1≦j≦l, 1≦k≦m and Llm=n.
- $\{\sigma_{ijk}^{I}(1), \ldots, \sigma_{ijk}^{I}(\bar{d})\}$ where k∈I⊂{1, . . . , m}: a set of integers for usr_(ijk) where σ^(I)_(ijk) is a 1-1 map from {1, . . . , d} to {1, . . . , C}, {σ^(I)_(ijk)(s), . . . , σ^(I)_(ijk)(s+1)} and σ^(I)_(ijk)'s are distinct.
- U_(i): {usr_(ijk)∈U | 1≦j≦l, 1≦k≦m}
- U_(ij): {usr_(ijk)∈U | 1≦k≦m}
- K_(i): a secret key for usr_(i) for 1≦i≦n
- y₁, . . . , y_(n): distinct primes
- K_(p): group key for P, $K_{p} \equiv (\omega^{d} O)^{\nu \prod_{usr_{i} \in P} y_{i}} \pmod{N}$

In the conventional Fiat algorithm, O^(y_(i)) is used as user secret information so that a variable O becomes known, but the method according to the basic exemplary embodiment of the present invention can make up for the drawbacks to the disclosure of the variable O since a different value O_(σi(1)), . . . , O_(σi(d)) is assigned as a base to each user.

Hereinafter, description will be made on a broadcast encryption process according to the basic exemplary embodiment. The broadcast encryption process has a setup step of server initialization and users' subscription, a group key calculation step of calculating a group key shared between a server and privileged users in order to decrypt a session key, and an encrypted message broadcast step of assigning the session key.

On the other hand, the setup step, being the first step of the process, determines a user's storage amount, and the group key calculation step, being the second step, determines a transmission rate and a calculation amount. The encrypted message broadcast step, being the third step, encrypts the session key with the shared group key, and sends the encrypted session key.

As above, the basic exemplary embodiment of the present invention uses O_(σi(1)), . . . , O_(σi(d)) as a base of private secret information to be stored for calculations of a group key for each user. Here, the bases for all users are assigned a different value. On the other hand, if the bases for users are different from one another, the group key calculation step in Equation 4 as follows is needed to calculate a group key.

$$K_{p} = (\omega^{d} O)^{\nu \prod_{usr_{i} \in P} y_{i}} \pmod{N} \qquad \text{[Equation 4]}$$

In Equation 4, ω and ν are random numbers that a server generates at every transmission, and are values for preventing plural collected group keys from being used for collusion attacks. Further, ω and ν are values for preparing for attacks extracting secret information of a server by use of transmitted information O_(S), together with secret information z of the server and transmitted information V.

First, the setup step as the first step is as below.

That is, a server generates N, y_(i), C, d, O, O_(s), and σ_(i) as initial setup values for all users i and s. Next, the server generates K_(i) by using Equation 5 as follows to calculate a group key for each user.

$$K_{i} \equiv (O_{\sigma_{i}(1)} \cdots O_{\sigma_{i}(d)} O)^{z y_{i}} \pmod{N} \qquad \text{[Equation 5]}$$

In Equation 5, it can be seen that O_(σi(1)) … O_(σi(d)) O is used, as above, as a base for the secret information K_(i) for each user, where O_(σi(1)) … O_(σi(d)) is a base group generated by using combinations of one or more integers of plural different integers (that is, coprimes), and each user has a different combination method. The combination method is identified by σ_(i) being an index of the above variable O. Further, the above variable O is one of the integers, and commonly included in the bases of all users. Therefore, each user calculates a group key value by eliminating the base group from the secret information through calculations to be later described.

For example, if combinations are made when d integers are selected from C integers, the _(C)C_(d) combinations become possible. The number of combinations is preferably set higher than the number of users. Therefore, a base group produced by using a different combination can be allocated to each user.

Further, the exponent part of the secret information K_(i) for each user becomes key value information y_(i) allocated to each user. The key value information can be shared with all users, but the secret information K_(i) is a value known only to corresponding users. On the other hand, the variable z included in the exponent part of the secret information is a server's own random value generated by the server and added for security of the secret information.

Further, N, y_(i), and σ_(i) are commonly provided to all users. The value of N is an RSA composite value of a considerably large number, and determines integer values of the variable O for the base in the range of the value N. The y_(i) denotes key value information allocated to each user as aforementioned, and the σ_(i) denotes information on combinations for producing the above base group.

Each user usr_(i) stores N, {y_(s)|1≦s≠i≦n}, and σ_(i) that are commonly sent, including the value of K_(i), from the server.

Therefore, the first step completely ends, and the second step is performed as below for group key calculations.

First, the server produces ω and ν, and calculates and broadcasts V by using Equation 6 as follows.

$V \equiv v z^{-1} \pmod{\phi(N)}$ [Equation 6]

Next, the server calculates and broadcasts Ō_(s) for 1≦s≦C by using Equation 7 as follows.

$\bar{O}_{s} \equiv \left( \omega^{-1} O_{s} \right)^{-v \prod_{usr_{i} \in P} y_{i}} \pmod{N}$ [Equation 7]

Here, Ō_(s) becomes an inverse-base parameter value for eliminating a base group of the received secret information in order for each user to derive a group key.

In Equation 7, the inverse-base parameter value has as a base each integer O_(s) used to produce the base group, and has an exponent part of key value information for each user allocated to all privileged users P.

Further, ω and ν applied respectively to the base and exponent parts of the inverse-base parameter value are random numbers generated by the server, produced at every transmission in order for the inverse-base parameter value to be safely sent for security reasons, and used for the calculations of the inverse-base parameter value.

Further, the value ν is calculated together with the server's own random value z as stated in Equation 6, and sent separately to all users.

On the other hand, each user usr_(i) uses the values (that is, each user's key value y_(i), combination information σ_(i), information on privileged users P, secret information K_(i), inverse-base parameter value Ō_(s), and the like) broadcast from the server to calculate a group key value K_(p) by using Equation 8 as follows.

$K_{p} = \left( \bar{O}_{\sigma_{i}(1)} \cdots \bar{O}_{\sigma_{i}(d)} \right) \times K_{i}^{v \prod_{usr_{s} \in P - (i)} y_{i}} \pmod{N}$ [Equation 8]

If the group key is calculated as in Equation 8, each user uses the calculated group key to decrypt a session key received from the server.

That is, the server derives the group key K_(p) by using Equation 4, encrypts the session key by using the derived group key, and sends the encrypted session key to each user. Each user decrypts E(K_(p), k) received from the server by using the group key calculated in Equation 8 as stated above, and obtains the session key.
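The basic embodiment end to end (Equations 4 to 8), as an added example that is not part of the patent text. All parameters are constructed toy values, and the user-side exponent is assumed to be the broadcast V of Equation 6 multiplied by the key values y_s of the other privileged users, which is the form Equation 12 writes.

```python
from itertools import combinations
from math import gcd, prod

# Constructed toy parameters; a real N is an RSA composite of about 1024 bits.
P_FACTOR, Q_FACTOR = 1019, 1187
N = P_FACTOR * Q_FACTOR
PHI = (P_FACTOR - 1) * (Q_FACTOR - 1)      # phi(N), known only to the server
BASES = [2, 3, 5, 7]                       # O_1..O_C with gcd(O_s, N) = 1
O_COMMON = 11                              # O, common to every user's base
D = 2                                      # integers per base group
Z = 7919                                   # server secret z, invertible mod phi(N)
Y = {1: 101, 2: 103, 3: 107, 4: 109, 5: 113}   # key value y_i per user


def setup():
    """Setup step (Equation 5): a distinct combination sigma_i and secret K_i per user."""
    if any(gcd(o, N) != 1 for o in BASES + [O_COMMON]) or gcd(Z, PHI) != 1:
        raise ValueError("bases must be coprime to N and z invertible mod phi(N)")
    combos = list(combinations(range(len(BASES)), D))
    if len(Y) >= len(combos):
        raise ValueError("need more combinations than users")
    sigma, secret = {}, {}
    for uid, combo in zip(sorted(Y), combos):
        base = prod(BASES[s] for s in combo) * O_COMMON % N
        sigma[uid] = combo
        secret[uid] = pow(base, Z * Y[uid], N)
    return sigma, secret


def server_broadcast(privileged, omega, v):
    """Equations 6 and 7 for one transmission, plus the server's own K_P (Equation 4).

    omega and v are drawn fresh by the server for every transmission; omega
    must be invertible mod N.
    """
    exponent = v * prod(Y[u] for u in privileged)
    V = v * pow(Z, -1, PHI) % PHI                                   # Equation 6
    inv_omega = pow(omega, -1, N)
    o_bar = [pow(inv_omega * o % N, -exponent, N) for o in BASES]   # Equation 7
    group_key = pow(pow(omega, D, N) * O_COMMON % N, exponent, N)   # Equation 4
    return V, o_bar, group_key


def user_group_key(uid, sigma_i, k_i, privileged, V, o_bar):
    """User side (Equation 8): cancel the base group of K_i with the broadcast values."""
    others = prod(Y[u] for u in privileged if u != uid)
    inverse_bases = prod(o_bar[s] for s in sigma_i) % N
    return inverse_bases * pow(k_i, V * others, N) % N


def demo():
    """Return, per user, whether the derived value equals the server's group key."""
    sigma, secret = setup()
    privileged = {1, 2, 3}                  # users 4 and 5 are revoked
    V, o_bar, group_key = server_broadcast(privileged, omega=4321, v=12345)
    derived = {u: user_group_key(u, sigma[u], secret[u], privileged, V, o_bar)
               for u in Y}
    return {u: derived[u] == group_key for u in Y}


if __name__ == "__main__":
    print(demo())
```

A revoked user's result keeps an extra factor with exponent y_i − 1 that the broadcast values do not cancel, which is why users 4 and 5 end up with a different value.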

Table 1 as below shows performance analysis based on the method according to the basic exemplary embodiment of the present invention. In the performance analysis, an assumption is made that log N=1024, log k=128, log y_(j)=log y^(I)_(j)=b, r=2¹⁸, n=2²⁰.

TABLE 1

| Basic exemplary embodiment | Transmission rate (kbyte) | Storage amount (kbyte) | Calculation amount (bit) |
|---|---|---|---|
| b, C, d | log N + C log N + log k | 2 log N + (n − 1) log y_(i) + 16d | log N + (n − 1) log y_(i) |
| 25, 26, 10 | 3.39 | 3200.27 | 26,215,424 |

In Table 1, the basic exemplary embodiment of the present invention compensates for the collusion attack problem that is the drawback of the conventional Fiat algorithm, at the cost of a somewhat increased transmission rate. Therefore, five different exemplary embodiments of the present invention are disclosed as below to reduce transmission rate, storage amount, and calculation amount compared to the basic exemplary embodiment.

Hereinafter, the exemplary embodiments of the present invention will each be described with reference to the accompanying drawings.

First Exemplary Embodiment

The method according to the first exemplary embodiment of the present invention groups total users n (upper group) into L groups, allocates a large random number x_(i) to each group, and allocates l (=n/L) primes to the l users of each group, respectively, in order to compensate for the above basic exemplary embodiment and the Fiat algorithm basically requiring a lot of calculation and storage amounts. Each group uses the same prime, but is identified and kept secure by the secret information x_(i) of a server. Thus, the calculation and storage amounts are remarkably reduced.

Prior to description of the first exemplary embodiment of the present invention, definitions are made as below on coefficients necessary for the description of the first exemplary embodiment and the second exemplary embodiment to be later described.

- U: set of users with |U|=n
- P: set of privileged users with |U−P|=r
- N: RSA composite
- ω, ν: random numbers
- z: a large integer
- k: a session key
- O: a positive integer satisfying 1<O<N
- O_(i), . . . , O_(C): positive integers satisfying 1<O_(s)<N and gcd(O_(s), N)=1.
- C, d: positive integers satisfying $n < \binom{c}{d}$
- O₁, . . . , O_(C): positive integers satisfying 1<O_(s)<N and gcd(O_(s), N)=1.
- C, d: positive integers satisfying $2^{m-1} n < \binom{\bar{c}}{d}$
- usr_(i): a user in U where 1≦i≦n.
- {σ_(i)(1), . . . , σ_(i)(d)}: a set of integers for usr_(i) where σ_(i) is a 1-1 map from {1, . . . , d} to {1, . . . , C}, σ_(i)(s)<σ_(i)(s+1) and σ_(i)'s are distinct.
- usr_(ij): a user in U where 1≦i≦L, 1≦j≦l and Ll=n.
- {σ_(ij)(1), . . . , σ_(ij)(d)}: a set of integers for usr_(ij) where σ_(ij)(s)<σ_(ij)(s+1) and σ_(ij)'s are distinct.
- usr_(ijk): a user in U where 1≦i≦L, 1≦j≦l, 1≦k≦m and Llm=n.
- $\left\{ \sigma_{ijk}^{I}(1), \ldots, \sigma_{ijk}^{I}(\bar{d}) \right\}$ where k∈I⊂{1, . . . , m}: a set of integers for usr_(ijk) where σ^(I)_(ijk) is a 1-1 map from {1, . . . , d} to {1, . . . , C}, σ^(I)_(ijk)(s)<σ^(I)_(ijk)(s+1) and σ^(I)_(ijk)'s are distinct.
- U_(i): {usr_(ijk)∈U|1≦j<l, 1≦k≦m}
- U_(ij): {usr_(ijk)∈U|1≦k≦m}
- K_(ij): a secret key for usr_(ij) for 1≦i≦L, 1≦j≦l and Ll=n
- x_(i), . . . , x_(L): large integers
- y_(i), . . . , y_(l): distinct primes
- K_(P1), . . . , K_(PL): subgroup keys for P ($K_{pi} \equiv \left( \omega^{d} O \right)^{v x_{i} \prod_{usr_{ij} \in P} y_{j}} \pmod{N}$)

FIG. 2 is a view for conceptually showing grouping of a user set into groups according to the first and second exemplary embodiments of the present invention. In FIG. 2, the user set (upper group) is grouped into L groups. In FIG. 2, the user set is grouped into 6 groups P1(201) to P6(206).

Here, the l users constituting each of the groups are assigned l=n/L primes y_(1), . . . , y_(l). That is, the basic exemplary embodiment of the present invention is applied to the L user sets each having the size of l. By doing so, a different group key can be derived for each group. That is, six group keys can be derived at a maximum, and Equation 9 can be expressed for 1≦i≦L, as below.

$K_{pi} \equiv \left( \omega^{d} O \right)^{v x_{i} \prod_{usr_{ij} \in P} y_{j}} \pmod{N}$ [Equation 9]

In Equation 9, x_(i) denotes a random number used to identify individual groups. However, the bases for individual n users have to be differently established as in the basic exemplary embodiment for security reasons.

Hereinafter, description will be made on a broadcast encryption process according to the first exemplary embodiment of the present invention. The broadcast encryption process according to the first exemplary embodiment is divided into a setup step of server initialization and user subscription, a sub-group key calculation step of calculating a sub-group key shared between a server and privileged users in order to decrypt a session key, and an encrypted message broadcast step of assigning the session key.

Of the process, the setup step being the first step determines a user's storage amount, and the sub-group key calculation step being the second step determines a transmission rate and a calculation amount. The encrypted message broadcast step being the third step encrypts a session key with the shared sub-group key and sends the encrypted session key.

In the setup step, the server produces N, x_(i), y_(i), C, d, O_(s), and σ_(ij) for all i, j, and s, as initialization values. Next, the server produces secret information K_(ij) of each user of a corresponding group in order to calculate a group key for each user usr_(ij), using Equation 10 as follows.

$K_{ij} \equiv \left( O_{\sigma_{ij}(1)} \cdots O_{\sigma_{ij}(d)} O \right)^{z x_{i} y_{j}} \pmod{N}$ [Equation 10]

In Equation 10, it can be seen that O_(σ_ij(1)), . . . , O_(σ_ij(d)) O is used as a base for the secret information K_(ij) of each user of a corresponding group as stated above. Here, as stated above, O_(σ_ij(1)), . . . , O_(σ_ij(d)) is a base group produced through combinations of one or more integers of plural different integers (that is, coprimes), and each user of a corresponding group has a different combination. The combination is identified by an index σ_(ij) of O. Further, O is one of the integers, which is commonly included in the bases for all users. Thus, each user calculates a group key value by eliminating the base group from the secret information K_(ij) by calculations to be later described.

On the other hand, the server sends the produced value K_(ij) to individual users usr_(ij) through secure channels. Here, N, y_(i), and σ_(ij) for all i and j are provided.

Further, the individual users usr_(ij) store N, {y_(s)|1≦s≠j≦l}, and σ_(ij), including the value K_(ij) sent from the server.

The first exemplary embodiment uses values of integer combinations as bases of the secret information sent to the users of each group, as in the basic exemplary embodiment.

Thus, the first step ends, and the second step is performed, as below, to calculate sub-group keys, that is, group keys for individual groups.

First, the server produces ω and ν, and calculates and broadcasts V by using Equation 6.

Next, the server calculates and broadcasts $\bar{O}_{s}^{i}$ for 1≦i≦L and 1≦s≦C, using Equation 11 as below.

$\bar{O}_{s}^{i} \equiv \left( \omega^{-1} O_{s} \right)^{-v x_{i} \prod_{usr_{ij} \in P} y_{j}} \pmod{N}$ [Equation 11]

Here, $\bar{O}_{s}^{i}$ becomes an inverse-base parameter value for eliminating a base group of the received secret information in order to derive a group key for each user.

In Equation 11, the inverse-base parameter value has each integer O_(s) as a base used for producing the base group, and also has as exponent the key value information of each user allocated to all privileged users P. Here, the first exemplary embodiment has the exponent part of the inverse-base parameter value containing a random value x_(i) allocated to each group.

On the other hand, ω and ν calculated in the base and exponent parts of the inverse-base parameter value are random values produced by the server as stated above in the basic exemplary embodiment, which are produced at every transmission to send the inverse-base parameter value safely for security reasons and used in calculations of the inverse-base parameter value.

Likewise, the value ν is calculated together with a server's own random value z as stated in detail in Equation 6, and separately sent to all users.

On the other hand, each user usr_(ij) calculates a sub-group key value K_(Pi) for each group i by Equation 12, using the values broadcast from the server and the stored values.

$K_{Pi} = \left( \bar{O}_{\sigma_{ij}(1)}^{i} \cdots \bar{O}_{\sigma_{ij}(d)}^{i} \right) \times K_{ij}^{V \prod_{usr_{is} \in P - (usr_{ij})} y_{s}} \pmod{N}$ [Equation 12]

If the group key is calculated as shown in Equation 12, each user decrypts the session key received from the server by using the calculated group key, that is, a sub-group key for each group.

That is, the server derives the group key K_(Pi) by use of Equation 9, encrypts a session key k with the derived group key, and sends E(K_(Pi), k) to each user. As stated above, each user decrypts E(K_(Pi), k) received from the server with the group key calculated in Equation 12, and obtains a session key.

Table 2 shows performance analysis based on the method according to the first exemplary embodiment of the present invention. In the performance analysis, an assumption will be made that log N=1024, log k=128, log y_(i)=log y^(I)_(j)=b, r=2¹⁸, and n=2²⁰.

TABLE 2

| First exemplary embodiment | Transmission rate (kbyte) | Storage amount (kbyte) | Calculation amount (bit) |
|---|---|---|---|
| b, l, C, d | log N + C log N + L log k | 2 log N + (l − 1) log y_(i) + 16d | log N + (l − 1) log y_(i) |
| 13, 512, 26, 10 | 6688.12 | 1.08 | 7,667 |
| 14, 1024, 26, 10 | 3344.12 | 2.02 | 15,356 |
| 15, 2048, 26, 10 | 1672.12 | 4.02 | 31,729 |

In Table 2, the first exemplary embodiment of the present invention groups individual users into L groups and derives a sub-group key for each group, so as to reduce the calculation and storage amounts.

Second Exemplary Embodiment

The method according to a second exemplary embodiment of the present invention separately calculates and sends the exponent and base parts of the inverse-base parameter value in order to reduce the increased transmission rate of the first exemplary embodiment. The base part is protected by the random numbers ω and ν, and the exponent part is protected by the server's secret information x_(i) and the random number ω. By doing so, the transmission rate can be reduced.

Hereinafter, description will be made of a broadcast encryption process according to the second exemplary embodiment of the present invention. The broadcast encryption process according to the second exemplary embodiment is divided into a setup step of server initialization and user subscription, a sub-group key calculation step of calculating a sub-group key shared between a server and privileged users in order to decrypt a session key, and an encrypted message broadcast step of assigning the session key.

Of the process, the setup step being the first step determines a user's storage amount, and the sub-group key calculation step being the second step determines a transmission rate and a calculation amount. The encrypted message broadcast step being the third step encrypts a session key with the shared sub-group key and sends the encrypted session key.

First, the setup step as the first step is the same as in the first exemplary embodiment. Therefore, detailed description of the setup step will be omitted.

After the first step ends, the second step is performed, as below, to calculate sub-group keys.

First, the server produces ω and ν, and calculates and broadcasts V by using Equation 6.

Next, the server calculates and broadcasts the base part Ō_(s) of the inverse-base parameter value, using Equation 13 as follows.

$\bar{O}_{s} \equiv \left( \omega O_{s}^{-1} \right)^{v \omega^{-1}} \pmod{N}$ [Equation 13]

Further, the server calculates and broadcasts the exponent part e_(i) of the inverse-base parameter value for 1≦i≦L by using Equation 14 as follows, according to the second exemplary embodiment of the present invention.

$e_{i} \equiv \omega x_{i} \prod_{usr_{ij} \in P} y_{j} \pmod{\phi(N)}$ [Equation 14]

On the other hand, each user usr_(ij) calculates a sub-group key value K_(Pi) for each group i by Equation 15 as below, using the values broadcast from the server and the stored values.

$K_{Pi} = \left( \bar{O}_{\sigma_{ij}(1)} \cdots \bar{O}_{\sigma_{ij}(d)} \right)^{e_{i}} \times K_{ij}^{v \prod_{usr_{is} \in P - (usr_{ij})} y_{s}} \pmod{N}$ [Equation 15]

If the group key is calculated as shown in Equation 15, each user decrypts a session key received from the server by using the calculated group key.

That is, the server derives the group key K_(Pi) by use of Equation 9, encrypts a session key k with the derived group key, and sends E(K_(Pi), k) to each user. As stated above, each user decrypts the E(K_(Pi), k) received from the server with the group key calculated in Equation 15, and obtains the session key.
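The split broadcast of Equations 13 to 15 on a grouped user set, as an added example that is not part of the patent text. Parameters are constructed toy values, and the user-side exponent is assumed to be the broadcast V of Equation 6, as Equation 12 writes it.

```python
from itertools import combinations
from math import prod

# Constructed toy parameters (a real N is about 1024 bits).
N = 1019 * 1187
PHI = 1018 * 1186                              # phi(N), known only to the server
BASES, O_COMMON, D = [2, 3, 5, 7, 13], 11, 2   # O_1..O_C, O and d
Z = 7919                                       # server secret z
X = {1: 2357, 2: 3571}                         # group secrets x_i (L = 2 groups)
Y = {1: 101, 2: 103, 3: 107}                   # primes y_j, reused in every group


def setup():
    """Equation 10: every user (i, j) gets its own combination and secret K_ij."""
    combos = combinations(range(len(BASES)), D)
    users = {}
    for i in X:
        for j in Y:
            sigma = next(combos)
            base = prod(BASES[s] for s in sigma) * O_COMMON % N
            users[(i, j)] = (sigma, pow(base, Z * X[i] * Y[j], N))
    return users


def group_primes(i, privileged, skip=None):
    """Product of y_j over the privileged users of group i, optionally minus one user."""
    return prod(Y[j] for (g, j) in privileged if g == i and j != skip)


def server_broadcast(privileged, omega, v):
    """Equations 6, 13 and 14, plus the server's sub-group keys (Equation 9).

    omega must be invertible mod N and mod phi(N); the server picks it and v
    fresh for every transmission.
    """
    V = v * pow(Z, -1, PHI) % PHI                                          # Eq. 6
    base_exp = v * pow(omega, -1, PHI) % PHI
    o_bar = [pow(omega * pow(o, -1, N) % N, base_exp, N) for o in BASES]   # Eq. 13
    e = {i: omega * X[i] * group_primes(i, privileged) % PHI for i in X}   # Eq. 14
    root = pow(omega, D, N) * O_COMMON % N
    keys = {i: pow(root, v * X[i] * group_primes(i, privileged), N) for i in X}
    return V, o_bar, e, keys


def user_subgroup_key(uid, sigma, k_ij, privileged, V, o_bar, e):
    """Equation 15: raise the shared base parts to the group's e_i, then cancel."""
    i, j = uid
    inverse_bases = pow(prod(o_bar[s] for s in sigma) % N, e[i], N)
    return inverse_bases * pow(k_ij, V * group_primes(i, privileged, skip=j), N) % N


def demo():
    """Return per-user key agreement and the two broadcast sizes being compared."""
    users = setup()
    privileged = set(users) - {(1, 3)}         # usr_13 is revoked
    V, o_bar, e, keys = server_broadcast(privileged, omega=4321, v=12345)
    match = {uid: user_subgroup_key(uid, sigma, k, privileged, V, o_bar, e)
             == keys[uid[0]] for uid, (sigma, k) in users.items()}
    # C base parts plus L exponents are broadcast, against L*C values in Equation 11.
    return match, len(o_bar) + len(e), len(X) * len(BASES)


if __name__ == "__main__":
    print(demo())
```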

Table 3 shows performance analysis based on the method according to the second exemplary embodiment of the present invention. In the performance analysis, an assumption will be made that log N=1024, log k=128, log y_(i)=log y^(I)_(j)=b, r=2¹⁸, and n=2²⁰.

TABLE 3

| Second exemplary embodiment | Transmission rate (kbyte) | Storage amount (kbyte) | Calculation amount (bit) |
|---|---|---|---|
| b, l, C, d | log N + C log N + L log N + L log k | 2 log N + (l − 1) log y_(i) + 16d | 2 log N + (l − 1) log y_(i) |
| 13, 512, 26, 10 | 291.37 | 1.08 | 8,691 |
| 14, 1024, 26, 10 | 147.37 | 2.02 | 16,370 |
| 15, 2048, 26, 10 | 75.37 | 4.02 | 31,733 |

In Table 3, the second exemplary embodiment of the present invention separately calculates the exponent and base parts of transmission data so as to remarkably reduce the transmission rate.

So far, description has been made on the first and second exemplary embodiments of the present invention with reference to FIG. 2. Hereinafter, the third to fifth exemplary embodiments of the present invention will be described with reference to FIG. 3 to FIG. 6.

Third Exemplary Embodiment

The method according to the third exemplary embodiment of the present invention groups an l-users' group obtained in the first exemplary embodiment into m-users' groups again in order to reduce the calculation amount more than the above exemplary embodiments. As in the first exemplary embodiment, each of the L groups has a group key, but the third exemplary embodiment to be later discussed allocates an allocated prime to every m users.

Further, all subsets of an m-users' set are assigned a prime in order that revocators can be dealt with in all possible circumstances, and a user additionally stores the user's secret information for all possible circumstances. Therefore, the calculation amount is reduced to one-mth.

Prior to the description of the third exemplary embodiment of the present invention, definitions are made as below on coefficients necessary for the description of the third exemplary embodiment and the fourth and fifth exemplary embodiments to be later described.

- U: set of users with |U|=n
- P: set of privileged users with |U−P|=r
- N: RSA composite
- ω, ν: random numbers
- z: a large integer
- k: a session key
- O: a positive integer satisfying 1<O<N
- O₁, . . . , O_(C): positive integers satisfying 1<O_(s)<N and gcd(O_(s), N)=1.
- C, d: positive integers satisfying $n < \binom{c}{d}$
- O₁, . . . , O_(C): positive integers satisfying 1<O_(s)<N and gcd(O_(s), N)=1.
- C, d: positive integers satisfying $2^{m-1} n < \binom{\bar{c}}{d}$
- usr_(i): a user in U where 1≦i≦n.
- {σ_(i)(1), . . . , σ_(i)(d)}: a set of integers for usr_(i) where σ_(i) is a 1-1 map from {1, . . . , d} to {1, . . . , C}, σ_(i)(s)<σ_(i)(s+1) and σ_(i)'s are distinct.
- usr_(ij): a user in U where 1≦i≦L, 1≦j≦l and Ll=n.
- {σ_(ij)(1), . . . , σ_(ij)(d)}: a set of integers for usr_(ij) where σ_(ij) is a 1-1 map from {1, . . . , d} to {1, . . . , C}, σ_(ij)(s)<σ_(ij)(s+1) and σ_(ij)'s are distinct.
- usr_(ijk): a user in U where 1≦i≦L, 1≦j≦l, 1≦k≦m and Llm=n.
- $\left\{ \sigma_{ijk}^{I}(1), \ldots, \sigma_{ijk}^{I}(\bar{d}) \right\}$ where k∈I⊂{1, . . . , m}: a set of integers for usr_(ijk) where σ^(I)_(ijk) is a 1-1 map from {1, . . . , d} to {1, . . . , C}, σ^(I)_(ijk)(s)<σ^(I)_(ijk)(s+1) and σ^(I)_(ijk)'s are distinct.
- U_(i): {usr_(ijk)∈U|1≦j≦l, 1≦k≦m}
- U_(ij): {usr_(ijk)∈U|1≦k≦m}
- K_(ij)^(I), where I⊂{1, . . . , m}: a secret key for usr_(ijk) for 1≦i≦L, 1≦j≦l and Llm=n
- x_(i), . . . , x_(L): large integers
- y^(I)_(j): distinct primes for 1≦j≦l and nonempty subset I of {1, . . . , m} (where y^(Φ)_(j)=1)
- I_(ij)={k|usr_(ijk)∈P∩U_(ij)}
- K_(P1), . . . , K_(PL): subgroup keys for P ($K_{pi} \equiv \left( \omega^{d} O \right)^{v x_{i} \prod_{j} y_{j}^{I_{ij}}} \pmod{N}$)

FIG. 3 is a view for conceptually showing re-grouping of a user group into sub-groups according to the third, fourth, and fifth exemplary embodiments of the present invention. In FIG. 3, the user set is grouped into L groups as in FIG. 2. In FIG. 3, the user set is grouped into 6 groups P1(301) to P6(306). Next, each group is re-grouped into plural sub-groups according to the third exemplary embodiment of the present invention. As stated above, the L groups each have a group key as in the first exemplary embodiment, but the third exemplary embodiment allocates each assigned prime to every m users.

FIG. 4 is a view for showing a method of re-grouping a user group into plural sub-groups according to the third exemplary embodiment of the present invention and the fourth and fifth exemplary embodiments of the present invention to be later described. In FIG. 4, users are divided into U₁ to U₆ 410 to 460, and each group is re-divided into plural sub-groups. For example, the group U₆ 460 is re-grouped into sub-groups U₆₁ 461, U₆₂ 462, U₆₃ 463, and U₆₄ 464.

Further, all subsets of an m-users' set are assigned a prime in order that revocators can be dealt with in all possible circumstances, and a user additionally stores the user's secret information for all possible circumstances. On the other hand, the group key can be derived by Equation 16 as below according to the third exemplary embodiment of the present invention.

$K_{pi} = \left( \omega^{d} O \right)^{v x_{i} \prod_{j} y_{j}^{I_{ij}}} \pmod{N}$ [Equation 16]

Hereinafter, description will be made on a broadcast encryption process according to the third exemplary embodiment of the present invention. The broadcast encryption process according to the third exemplary embodiment is divided into a setup step of server initialization and user subscription, a sub-group key calculation step of calculating a sub-group key shared between a server and privileged users in order to decrypt a session key, and an encrypted message broadcast step of assigning the session key.

Of the process, the setup step being the first step determines a user's storage amount, and the sub-group key calculation step being the second step determines a transmission rate and a calculation amount. The encrypted message broadcast step being the third step encrypts a session key with the shared sub-group key and sends the encrypted session key.

In the setup step, the server produces N, x_(i), y^(I)_(i), C, d, O, O_(s), and σ^(I)_(ijk) for all i, j, k, I and s, as initialization values. Next, the server produces secret information K^(I)_(ijk) of each user usr_(ijk) for all I including k and all of i, j, and k, in order to calculate a sub-group key, using Equation 17.

$K_{ijk}^{I} \equiv \left( O_{\sigma_{ijk}^{I}(1)} \cdots O_{\sigma_{ijk}^{I}(d)} O \right)^{z x_{i} y_{j}^{I}} \pmod{N}$ [Equation 17]

The server sends the produced user's secret information value K^(I)_(ijk) to individual users usr_(ijk) through secure channels. Here, N, y^(I)_(j), and σ^(I)_(ijk) for all i, j, and k are provided.

Further, the individual users usr_(ijk) store N, {y^(I)_(s)|1≦s≠j<l, all I}, and σ^(I)_(ijk) for all I including the value k, including a {K^(I)_(ijk)|all I including k} value sent from the server.

Thus, the first step ends, and the second step is performed, as below, to calculate sub-group keys.

First, the server produces ω and ν, and calculates and broadcasts V by Equation 6.

Next, the server calculates and broadcasts the base part Ō_(s) of the inverse-base parameter value for 1≦s≦C̄, using Equation 18 as below.

$\bar{O}_{s} \equiv \left( \omega O_{s}^{-1} \right)^{v \omega^{-1}} \pmod{N}$ [Equation 18]

Further, the exponent part e_(i) of the inverse-base parameter value is calculated and broadcast for 1≦i≦L by using Equation 19 according to the third exemplary embodiment of the present invention.

$e_{i} \equiv \omega x_{i} \prod_{j} y_{j}^{I_{ij}} \pmod{\phi(N)}$ [Equation 19]

On the other hand, each user usr_(ijk) calculates a sub-group key value K_(Pi) of each sub-group by using Equation 20 as below, using the values broadcast from the server and the stored values.

$K_{Pi} = \left( \bar{O}_{\sigma_{ijk}^{I_{ij}}(1)} \cdots \bar{O}_{\sigma_{ijk}^{I_{ij}}(\bar{d})} \right)^{e_{i}} \times \left( K_{ijk}^{I_{ij}} \right)^{V \prod_{s \neq j} y_{s}^{I_{is}}} \pmod{N}$ [Equation 20]

If a group key is calculated in Equation 20, each user decrypts a session key received from the server by using the calculated group key, that is, the sub-group key for each group.

That is, the server derives a group key K_(Pi) by using Equation 16, encrypts the session key k with the derived group key, and sends E(K_(Pi), k) to each user. Here, each user decrypts the E(K_(Pi), k) received from the server by using the group key calculated by using Equation 20 and obtains the session key, as above.

Table 4 shows performance analysis based on the method according to the third exemplary embodiment of the present invention. In the performance analysis, an assumption will be made that log N=1024, log k=128, log y_(i)=log y^(I)_(j)=b, r=2¹⁸, and n=2²⁰.

TABLE 4

| Third exemplary embodiment | Transmission rate (kbyte) | Storage amount (kbyte) | Calculation amount (bit) |
|---|---|---|---|
| b, l, m, C, d | log N + C log N + L log N + L log k | (2^(m−1) + 1) log N + (2^(m−1) − 1)(l − 1) log y^(I)_(i) + 2^(m−1) 16d | 2 log N + (l − 1) log y^(I)_(i) |
| 13, 256, 2, 26, 12 | 291.37 | 1.63 | 5,363 |
| 15, 128, 4, 28, 12 | 291.62 | 4.80 | 3,953 |
| 14, 512, 2, 26, 12 | 147.37 | 3.04 | 9,202 |
| 16, 256, 4, 28, 12 | 147.62 | 8.78 | 6,128 |
| 16, 1024, 2, 26, 12 | 75.37 | 6.42 | 18,416 |
| 17, 512, 4, 28, 12 | 75.62 | 17.22 | 10,735 |

In Table 4, the third exemplary embodiment of the present invention can reduce the number of primes used as power of exponent by users in order to reduce the calculation amounts of the above exemplary embodiments. That is, as stated above, each of L groups is re-grouped into m-users groups. Therefore, n m-users groups become an n/L-users' group, and there exist L groups as such groups as above, accordingly. As a result, maximum (n/L)/m−1 primes can be used instead of maximum n/L-1 primes as a power of exponent in the second exemplary embodiment. To do this, there has to be primes corresponding to all subsets rather than a null set of m-users' groups, so that the calculation amount as above can be remarkably reduced. That is, when m has a value ranging from 2 to 6, the calculation amount can be remarkably reduced. Further, since the number of primes only increases, any problem for security does not occur.

Fourth Exemplary Embodiment

The fourth exemplary embodiment of the present invention can reduce the transmission amount further by enabling a corresponding group to share information that a server produces and users share, if there are no revocators from specific groups of the L groups in the third exemplary embodiment.

Therefore, a sub-group key value can be defined as in Equation 21 in the fourth exemplary embodiment and the fifth exemplary embodiment, which will be later discussed, of the present invention.

$K_{Pi} \equiv \begin{cases} \left( \omega^{d} O \right)^{v x_{i} \prod y_{j}^{I_{ij}}} & \text{if } U_{i} \not\subset P \\ \text{is generated by the server} & \text{otherwise} \end{cases}$ [Equation 21]

Hereinafter, description will be made on a broadcast encryption process according to the fourth exemplary embodiment of the present invention. The broadcast encryption process according to the fourth exemplary embodiment is divided, like the basic exemplary embodiment, into a setup step of server initialization and user subscription, a sub-group key calculation step of calculating a sub-group key shared between a server and privileged users in order to decrypt a session key, and an encrypted message broadcast step of assigning the session key.

In the setup step, the server produces N, x_(i), y^(I)_(i), c, d, O, O_(s), and σ^(I)_(ijk) for all i, j, k and s, as initialization values as in the third exemplary embodiment. Next, the server produces secret information K^(I)_(ijk) of each user usr_(ijk) for all I including k and all of i, j, and k, in order to calculate a sub-group key, using Equation 17.

Further, in the fourth exemplary embodiment of the present invention, the server additionally produces information K_(U_i) produced by the server and shared by users for all i.

The server sends the produced values K^(I)_(ijk) and K_(U_i) to individual users usr_(ijk) for all I including k through secure channels. Here, N, y^(I)_(j), and σ^(I)_(ijk) for all i, j, I, and k are provided.

Further, the individual users usr_(ijk) store K_(U_i), N, {y^(I)_(s)|1≦s≠j≦l, all I}, and σ^(I)_(ijk) for all I including the value k, including a value {K^(I)_(ijk)|all I including k} sent from the server.

Thus, the first step ends, and the second step is performed, as below, to calculate a sub-group key.

First, the server produces ω and ν, and calculates and broadcasts V by using Equation 6.

Next, the server calculates and broadcasts the base part Ō_(s) of the inverse-base parameter value for 1≦s≦C̄, using Equation 18 described in the third exemplary embodiment.

Next, if U_(i) does not belong to P for 1≦i≦L, that is, there exist revocators in a specific group, according to the fourth exemplary embodiment of the present invention, the exponent part e_(i) is calculated and broadcast for 1≦i≦L by Equation 19 of the third exemplary embodiment of the present invention.

Thus, each user usr_(ijk) of a group that receives e_(i) because U_(i) does not belong to P calculates a sub-group key value K_(Pi) of each sub-group by using Equation 20, using the values broadcast from the server and the stored values. On the other hand, if there are no revocators in a specific group of the L groups, the value K_(U_i) is used, which is produced in the first step and shared with users.

FIG. 5 is a view for showing a message format sent to each group according to the fourth exemplary embodiment of the present invention. In FIG. 5, a message sent to each user contains an index 500, the sub-group key value 510, and content information 520 encrypted by the key value. Here, the index 500 contains an L-bit revocator information field 510, which indicates for each group whether revocators exist, and data fields 502 and 503 given to each group not included in P. Further, the data fields 502 and 503 given to each group not included in P can have a 1-bit field 504 denoting whether one small user group U_(ij) belongs to P and m-bit fields 505 and 506 denoting the primes used out of 2^(m−1) primes y_(i) ^(j).

Here, the 1-bit field 504 denoting whether one small user group U_(ij) belongs to P is 0 if the small user group U_(ij) belongs to P. Otherwise, the 1-bit field 504 is 1. Further, the fields denoting used primes number the primes based on an index i.

Table 5 shows performance analysis based on the method according to the fourth exemplary embodiment of the present invention. In the performance analysis, an assumption will be made that log N=1024, log k=128, log y_(i)=log y^(I) _(j)=b, r=2¹⁸, and n=2²⁰.

TABLE 5 (fourth exemplary embodiment)

Transmission rate (kbyte): log N + C log N + min(L, r) log N + L log k
Storage amount (kbyte): (2^(m−1) + 2) log N + (2^(m−1) − 1)(l − 1) log y^(I) _(i) + 2^(m−1) 16d
Calculation amount (bit): 2 log N + (l − 1) log y^(I)

b, l, m, C, d          Transmission rate (kbyte)   Storage amount (kbyte)   Calculation amount (bit)
13, 256, 2, 26, 12     291.37 (35.37)              1.76                     5,363
15, 128, 4, 28, 12     291.37 (35.62)              4.93                     3,953
14, 512, 2, 26, 12     147.37 (19.37)              3.17                     9,202
16, 256, 4, 28, 12     147.62 (19.62)              8.91                     6,128
16, 1024, 2, 26, 12    75.37 (11.37)               6.54                     18,416
17, 512, 4, 28, 12     75.62 (11.62)               17.34                    10,735

In Table 5, the transmission rate of the third exemplary embodiment remains the same even when the number of revocators decreases, but in the fourth exemplary embodiment the transmission rate decreases from its maximum value when r<L. The values in parentheses in the transmission rates of Table 5 are the values as r approaches 0.
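The transmission-rate and calculation-amount formulas of Table 5, written out as an added Python example that is not part of the patent text. The relation L = n/(l·m) and the reading of l as the number of small groups per group are assumptions, chosen because they reproduce the figures printed in the first, third and fifth rows; the sweep shows the transmission rate growing with r only until r reaches L.

```python
"""Cost model for the fourth exemplary embodiment (formulas from Table 5)."""
from dataclasses import dataclass

# Assumptions stated alongside Table 5.
LOG_N = 1024         # log N, in bits
LOG_K = 128          # log k, in bits
N_USERS = 2 ** 20    # n
BITS_PER_KBYTE = 8 * 1024


@dataclass(frozen=True)
class Params:
    b: int  # log y: bit length of each prime
    l: int  # small groups per group (assumed meaning of l)
    m: int  # users per small group
    C: int  # number of base parts O_s that are broadcast
    d: int  # listed in Table 5; not used by the two formulas below

    @property
    def L(self) -> int:
        # ASSUMPTION: L = n / (l * m). Not stated in this section; chosen
        # because it reproduces the transmission figures printed in Table 5.
        return N_USERS // (self.l * self.m)


def transmission_bits(p: Params, r: int) -> int:
    """log N + C log N + min(L, r) log N + L log k, for r revocators."""
    if r < 0:
        raise ValueError("number of revocators cannot be negative")
    return LOG_N + p.C * LOG_N + min(p.L, r) * LOG_N + p.L * LOG_K


def calculation_bits(p: Params) -> int:
    """2 log N + (l - 1) log y."""
    return 2 * LOG_N + (p.l - 1) * p.b


def kbyte(bits: int) -> float:
    """Convert a bit count to kbyte (1 kbyte = 1024 bytes)."""
    return bits / BITS_PER_KBYTE


def sweep(p: Params, revocator_counts):
    """Transmission rate in kbyte for each revocator count r.

    The min(L, r) term means at most one exponent part e_i is sent per
    group, so the rate stops growing once r reaches L.
    """
    return [(r, kbyte(transmission_bits(p, r))) for r in revocator_counts]


if __name__ == "__main__":
    rows = [(13, 256, 2, 26, 12), (14, 512, 2, 26, 12), (16, 1024, 2, 26, 12)]
    for row in rows:
        p = Params(*row)
        worst = kbyte(transmission_bits(p, 2 ** 18))   # r = 2^18, as in Table 5
        best = kbyte(transmission_bits(p, 0))          # r approaching 0
        print(row, "L =", p.L, "tx kbyte:", worst, "(", best, ")",
              "calc bits:", calculation_bits(p))
    print(sweep(Params(13, 256, 2, 26, 12), [0, 1024, 2048, 4096]))
```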

Fifth Exemplary Embodiment

In the third and fourth exemplary embodiments, users can store the prime y^(I) _(j) used for exponent computations as above, but because the transmission rate is small, it does not increase greatly even if the prime is sent every time. Since the storage amount can be reduced in return, the fifth exemplary embodiment of the present invention proposes a modified method in which the prime y^(I) _(j) is sent every time.

FIG. 6 is a view for showing grouping of individual users according to the fifth exemplary embodiment of the present invention. In FIG. 6, all the users (that is, the upper group) can be grouped into groups U₁ to U₄ (610 to 640), and each group is grouped again into sub-groups. For example, the group U₁ (610) is re-grouped into sub-groups U₁₁ (611) and U₁₂ (612). Here, U₁₁ (611) includes usr₁₁₁ and usr₁₁₂.

Hereinafter, description will be made on a broadcast encryption process according to the fifth exemplary embodiment of the present invention. The broadcast encryption process according to the fourth exemplary embodiment is divided, like the basic exemplary embodiment, into a setup step of server initialization and user subscription, a sub-group key calculation step of calculating a sub-group key shared between a server and privileged users in order to decrypt a session key, and an encrypted message broadcast step of assigning the session key.

In the setup step, the server produces N, x_(i), y^(I) _(i), C, d, O, O_(s), and σ^(I) _(ijk) for all i, j, k and s, as initialization values as in the fourth exemplary embodiment. Next, the server produces secret information K^(I) _(ijk) of each user usr_(ijk) for all I including k and for all of i, j, and k, in order to calculate a sub-group key of each user usr_(ijk), using Equation 17.

The server sends the produced values K^(I) _(ijk) to individual users usr_(ijk) for all I including k through secure channels. Here, N and σ^(I) _(ijk) for all i, j, I, and k are provided.

Further, the individual users usr_(ijk) store N and σ^(I) _(ijk) for all I including k, together with the value {K^(I) _(ijk)|all I including k} sent from the server.

Thus, the first step ends, and the second step is performed, as below, to calculate a sub-group key.

First, the server produces the ω and ν, and calculates and broadcasts V by using Equation 6.

Next, the server calculates and broadcasts the base part O_(s) of the inverse-base parameter value for 1≦s≦C, using Equation 18 described in the third exemplary embodiment.

The server broadcasts y^(I) _(j) for all subsets I of 1≦j≦1 and {1, . . . , m} according to the fifth exemplary embodiment of the present invention.

Once the sub-group key is calculated in the second step as above, the server encrypts the broadcast message by the sub-group key and sends the encrypted message to each user in the third step as in the above exemplary embodiments, and each user who receives the message decrypts the received message by the calculated group key.

That is, the server produces a message k, encrypts it for each group by using the sub-group key K_(Pi), and sends E(K_(Pi), k) to each user. Each user decrypts the received E(K_(Pi), k) by the calculated sub-group key value.

The performance analysis according to the fifth exemplary embodiment of the present invention is as below. An assumption will be made that log N=1024, log k=128, log y_(i)=log y^(I) _(j)=b, r=2⁸, and n=2²⁰.

TABLE 6 (fifth exemplary embodiment)

Transmission rate (kbyte): log N + C log N + min(L, r) log N + L log k
Storage amount (kbyte): (2^(m−1) + 2) log N + (2^(m−1) − 1)(l − 1) log y^(I) _(i) + 2^(m−1) 16d
Calculation amount (bit): 2 log N + (l − 1) log y^(I) _(i)

b, l, m, C, d          Transmission rate (kbyte)   Storage amount (kbyte)   Calculation amount (bit)
13, 256, 2, 26, 12     292.59 (36.59)              0.55                     5,363
15, 128, 4, 28, 12     295.14 (39.14)              1.44                     3,953
16, 86, 6, 30, 14      300.20 (46.20)              5.13                     3,408
14, 512, 2, 26, 14     150.00 (22.00)              0.55                     9,202
16, 256, 4, 28, 12     155.12 (27.12)              1.44                     6,128
18, 171, 6, 30, 14     171.26 (43.51)              5.13                     5,108
16, 1024, 2, 26, 12    81.37 (17.37)               0.55                     18,416
17, 512, 4, 28, 12     91.56 (27.56)               1.44                     10,735
19, 342, 6, 30, 14     125.70 (61.83)              5.13                     8,527

As Table 6 shows, the fifth exemplary embodiment of the present invention can reduce the storage amount by sending the prime Y^(I) _(i) every time instead of storing the prime Y^(I) _(i) that is used for the exponent calculation in the third and fourth exemplary embodiments.

Hereinafter, description will be made, with reference to FIG. 7 to FIG. 9, on a message transmission process according to the basic and first to fifth exemplary embodiments of the present invention.

FIG. 7 is a flow chart for showing a process for assigning a key for each user according to the basic exemplary embodiment of the present invention. In FIG. 7, each user is assigned a different value as a base according to the basic exemplary embodiment of the present invention (S701). As stated above, the base is produced through combinations and assigned. Next, values are initialized to derive a group key (S702), and the group key is derived through combinations of different bases (S703). Lastly, a session key is assigned, and a broadcast message is sent (S704), so that the broadcast message transmission process ends.

FIG. 8 is a flow chart for showing a process for assigning a key for each user according to the first and second exemplary embodiments of the present invention. In FIG. 8, each user set is grouped into L groups according to the first and second exemplary embodiments of the present invention (S801). Next, each group is assigned a random number Xi (S802). Next, n/L primes are allocated to users of each group (S803), and L sub-group keys are derived (S804).

FIG. 9 is a flow chart for showing a process for assigning a key for each user according to the third, fourth, and fifth exemplary embodiments of the present invention. In FIG. 9, each user set is grouped into L groups according to the third to fifth exemplary embodiments of the present invention (S901). Next, each group of one user is grouped again into groups of m users (S902). The primes allocated to individual users are assigned to every group of m users (S903), and L sub-group keys are derived (S904).

Hereinafter, the present exemplary embodiments and prior art are compared in terms of performance by using graphs with reference to FIG. 10 and FIG. 11.

FIG. 10 is a graph for comparing transmission overheads of the present exemplary embodiment to those of prior art. In FIG. 10, it can be seen that the methods 1001, 1002, and 1003 of the present exemplary embodiments remarkably decrease the transmission overheads compared to prior art, for example, IBM's SD algorithm 1004, as the number of revocators increases.

FIG. 11 is a graph for comparing the index overheads of the present exemplary embodiments to those of prior art. In FIG. 11, it can be seen that the method 1101 according to the exemplary embodiment of the present invention remarkably decreases the index overheads compared to prior art, for example, IBM's SD algorithm 1102, as the number of revocators increases.

As aforementioned, in order to overcome the exposure of the conventional broadcast encryption method to collusion attacks, the present invention assigns each user a base of a different combination, thereby having an advantage of security. Further, the diverse exemplary embodiments of the present invention can remarkably reduce the storage amount, transmission rate, calculation amount, and so on, necessary for broadcast encryption.

The foregoing exemplary embodiments and advantages are merely exemplary and are not to be construed as limiting the present invention. The present teaching can be readily applied to other types of apparatuses. Also, the description of the exemplary embodiments of the present invention is intended to be illustrative, and not to limit the scope of the claims, and many alternatives, modifications, and variations will be apparent to those skilled in the art.

1. A broadcast encryption method comprising: generating a base group through combinations of integers out of a plurality of different integers having values greater than 1, and assigning the base group of different combinations to each user of a plurality of users; generating secret information for each user through calculations with key value information allocated to a corresponding user by using the base group allocated to each user as a base, and sending the secret information to each user; generating an inverse-base parameter value through calculations with an integer used to produce the base group and key value information of at least one privileged user, and sending the produced inverse-base parameter value to each user, in order for only the at least one privileged user of the plurality of users to eliminate the base group from the secret information; and deriving a group key based on the key value information of the privileged users, encrypting a session key with the derived group key and sending the encrypted session key to each user.
2. The method as claimed in claim 1, wherein the integers for the generating the base group are coprimes.
3. The method as claimed in claim 1, wherein the inverse-base parameter value is generated with at least one random number.
4. The method as claimed in claim 3, wherein the at least one random number is used for the deriving the group key.
5. The method as claimed in claim 1, wherein the secret information for each user is generated with a random value.
6. The method as claimed in claim 3, wherein the at least one random number is sent to each user.
7. The method as claimed in claim 1, wherein the base of the secret information for each user contains the base group allocated to each user and a common integer commonly used for all users, and the group key is derived to have the base of the common integer.
8. The method as claimed in claim 1, further comprising sending, to each user, information of combinations for generating a corresponding base group.
9. The method as claimed in claim 1, further comprising sending information of a key value allocated to a user every time a broadcast message is sent.
10. A broadcast encryption method comprising: grouping, by a server, into a plurality of groups one upper group of a plurality of users receiving a broadcast message, and assigning a key value to corresponding users of each group; generating a base group for each group through combinations of integers of a plurality of different integers having values greater than 1, and assigning users of each group the base group produced through a different combination; generating secret information for each user through calculations with key value information allocated to a corresponding user of each group by using the base group allocated to each user as a base, and sending the secret information to each user; generating an inverse-base parameter value through calculations with integers used to produce the base group and key value information of at least one privileged user, and sending the inverse-base parameter value to users of a corresponding group, in order for only the at least one privileged user of the plurality of users to eliminate the base group from the secret information; and deriving a group key for each group with the key value information of the at least one privileged user, encrypting a session key with the group key, and sending the encrypted session key to each user.
11. The method as claimed in claim 10, wherein a random number is assigned to each group, and the random number is used in calculating the secret information of each user to be sent to the users of each group.
12. The method as claimed in claim 11, wherein a random number assigned to a corresponding group is used in the generating the inverse-base parameter value.
13. The method as claimed in claim 11, wherein the group key for each group is generated with a random number assigned to a corresponding group.
14. The method as claimed in claim 10, wherein integers used for the generating the base group are coprimes.
15. The method as claimed in claim 10, wherein the inverse-base parameter value is generated with at least one random number.
16. The method as claimed in claim 15, wherein at least one random number is used for the deriving of the group key.
17. The method as claimed in claim 10, wherein the server produces its own random number which is used for the generating the secret information for each user.
18. The method as claimed in claim 15, wherein the at least one random number is generated with the server's own random number, and sent to each user.
19. The method as claimed in claim 10, wherein the base of the secret information for each user contains a base group assigned to each user and a common integer commonly used for all users, and the group key is derived based on the common integer.
20. The method as claimed in claim 10, wherein the server sends, to each user, the information of combinations for producing a corresponding base group.
21. The method as claimed in claim 10, wherein the server separately calculates an exponent part and a base part in the generating the inverse-base parameter value, and separately sends the exponent part and base part of the inverse-base parameter value.
22. The method as claimed in claim 10, wherein each group is grouped to a plurality of sub-groups, a key value is assigned to users of each sub-group, and secret information for each user is generated through calculations with key value information assigned to users of each sub-group.
23. The method as claimed in claim 10, wherein, if there are no unauthorized users in a specific group of the groups, a separate key value assigned to each group is established as a group key for the corresponding group.
24. The method as claimed in claim 10, wherein the server sends the key value information assigned to the users every time the server sends the broadcast message.
25. A broadcast encryption method comprising: generating a base group through combinations of integers of a plurality of different integers having values greater than 1, and allocating the base group generated through different combinations to each user of a plurality of users; generating secret information for each user through calculations with a key value information allocated to a corresponding user based on the base group allocated to each user, and receiving by each user the secret information; generating an inverse-base parameter value through calculations with integers used to produce the base group and the key value information of one or more privileged users, and receiving by each of the users the produced inverse-base parameter value, in order for only the privileged users of the plurality of users to eliminate the base group from the secret information; generating a group key by using the secret information for each user received from the server and the inverse-base parameter value; and decrypting a session key received from the server by using the group key.
26. The method as claimed in claim 25, wherein the integers for the generating the base group are coprimes.
27. The method as claimed in claim 26, wherein the inverse-base parameter value is calculated with at least one random number.
28. The method as claimed in claim 27, wherein the at least one random number is used for the deriving the group key.
29. The method as claimed in claim 25, wherein the server produces its own random number which is used in the generating the secret information.
30. The method as claimed in claim 29, wherein at least one random number is calculated with the server's own random number, and then received from the server.
31. The method as claimed in claim 25, wherein a base of the produced secret information for each user contains the base group assigned to each user and a common integer commonly used for all users, and the group key is derived by using the common integer as a base.
32. The method as claimed in claim 25, wherein each user receives, from the server, information of a combination for generating the corresponding base group.
33. The method as claimed in claim 25, wherein the information of the key value assigned to each user is received from the server every time the broadcast message is sent.
34. A broadcast encryption method comprising: grouping into a plurality of groups one upper group having a plurality of users receiving a broadcast message, and assigning a key value to users of each group; generating a base group for each group through combinations of integers of a plurality of different integers having values greater than 1, and assigning each user of each group the base group produced through a different combination; generating secret information for each user through calculations with key value information assigned to users of each group by using as a base the base group assigned to each user, and receiving by each user from a server the produced secret information for each user; generating an inverse-base parameter value through calculations with the integers used to produce the base group and the key value information of at least one privileged user of the plurality of users, and receiving from the server the inverse-base parameter value by users of each corresponding group, in order for only the at least one privileged user to eliminate the base group from the secret information; generating a group key for each group based on the secret information for each user received from the server and the inverse-base parameter value; and decrypting a session key received from the server based on the group key for each group.
35. The method as claimed in claim 34, wherein a random number is assigned to each group, and the random number is used in the generating the secret information of each user to be sent to the users of each group.
36. The method as claimed in claim 34, wherein a random number assigned to a corresponding group is used in the generating the inverse-base parameter value.
37. The method as claimed in claim 35, wherein the group key for each group is generated with a random number assigned to the corresponding group.
38. The method as claimed in claim 34, wherein integers for the generating the base group are coprimes.
39. The method as claimed in claim 34, wherein the inverse-base parameter value is calculated with at least one random number.
40. The method as claimed in claim 39, wherein the at least one random number is used for the deriving the group key.
41. The method as claimed in claim 35, wherein the server produces its own random number which is used in the generating the secret information for each user.
42. The method as claimed in claim 41, wherein at least one random number is calculated with the server's own random number, and received by each user from the server.
43. The method as claimed in claim 35, wherein a base of the secret information of each user contains a base group assigned to each user and a common integer commonly used for all users, and the group key is derived based on the common integer.
44. The method as claimed in claim 35, wherein users of each group receive from the server the information of combinations for producing the corresponding base group.
45. The method as claimed in claim 35, wherein an exponent part and a base part are separately calculated in the generating the inverse-base parameter value, and the exponent part and base part of the inverse-base parameter value are received from the server.
46. The method as claimed in claim 35, wherein each group is grouped to a plurality of sub-groups, a key value is assigned to corresponding users of each sub-group, and secret information for each user is generated through calculations with key value information assigned to the corresponding users of each sub-group.
47. The method as claimed in claim 35, wherein, if there are no unauthorized users in a specific group of the groups, a separate key value assigned to each group is established as a group key to the corresponding group.
48. The method as claimed in claim 35, wherein the key value information assigned to the users is received from the server every time the server sends the broadcast message.